This is the accessible text file for GAO report number GAO-11-232T
entitled 'Personal Security Clearances: Overall Progress Has Been Made
to Reform the Governmentwide Security Clearance Process' which was
released on December 1, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Intelligence Community Management,
Permanent Select Committee on Intelligence, U.S. House of
Representatives:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected at 1:00 p.m. EDT:
Wednesday, December 1, 2010:
Personal Security Clearances:
Overall Progress Has Been Made to Reform the Governmentwide Security
Clearance Process:
Statement of Brenda S. Farrell, Director:
Defense Capabilities and Management:
GAO-11-232T:
[End of section]
Madam Chairwoman, Ranking Member Myrick, and Members of the
Subcommittee:
Thank you for the opportunity to be here today to discuss our key
findings and recommendations in our report that we are releasing today
on some aspects of personnel security clearance reforms. As you know,
we conducted our review in response to a request from you, Madam
Chairwoman, and Mr. Holt. This is the fourth in a series of hearings,
in which you have asked GAO to testify; and this Subcommittee's
continued oversight has helped focus attention on the need for
personnel security reform.
Personnel security clearances allow government and industry personnel
to gain access to classified information that through unauthorized
disclosure, can in some cases cause exceptionally grave damage to U.S.
national security. The July 2010 and subsequent October 2010 recent
unauthorized leak of almost 500,000 classified documents posted to the
Internet related to the ongoing war in Afghanistan and Iraq provides a
cogent example of the inherent risks involved when granting an
individual a security clearance. To ameliorate these risks, government
agencies rely on a multiphased personnel security clearance process.
However, with the increase in demand over the past decade for
personnel with security clearances, we and others have identified
problems with the security clearance process with respect to delays
and incomplete documentation. As a result, we have designated the
Department of Defense's (DOD) clearance program--which represents a
vast majority of the initial security clearances adjudicated by the
federal government--as a high-risk area since 2005.[Footnote 1]
In light of long-standing concerns regarding delays in processing
clearances and other issues, Congress set objectives and established
requirements for improving the clearance process in section 3001 of
the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).
[Footnote 2] IRTPA established objectives for timeliness, requirements
for reciprocity--an agency's acceptance of a background investigation
or clearance determination completed by any authorized investigative
or adjudicative agency--and an integrated, secure database to house
clearance information. In 2007, DOD and the Office of the Director of
National Intelligence (ODNI) formed the Joint Security Clearance
Process Reform Team, known as the Joint Reform Team, to transform the
security clearance process governmentwide.[Footnote 3] In the
following year, Executive Order 13467 was issued, establishing the
Suitability and Security Clearance Performance Accountability Council
(Performance Accountability Council) that is responsible for driving
the implementation of reform and is accountable to the President for
achieving the reform effort's goals. This governance structure was put
in place, in part, to sustain the momentum of clearance reforms. (See
figure 1 for key events related to security clearance reform.)
Figure 1: Key Events Related to the Security Clearance Reform Effort:
[Refer to PDF for image: time line]
December 17, 2004:
Intelligence Reform and Terrorist Prevention Act passed.
January 2005:
Government Accountability Office places Department of Defense’s
clearance program on its high-risk list.
June 27, 2005:
Executive Order 13881 designates the Office of Management and Budget
the single entity to ensure centralization, uniformity, and
reciprocity of security clearance policies.
November 2005:
Office of Management and Budget issues a plan for improving the
security clearance process.
June 25, 2007:
The Joint Reform Team is formed to develop a plan for clearance
reform, including research priorities and an information technology
strategy, to achieve IRTPA goals.
April 30, 2008:
The Joint Reform Team issues a report on reforming the security
clearance and suitability process.
June 30, 2008:
Executive Order 13467 establishes the Performance Accountability
Council to drive implementation of the reform effort and designated
the Office of Management and Budget’s Deputy Director for Management
as Chair.
December 18, 2008:
The Joint Reform Team issues a report outlining reform progress and
further plans.
March 17, 2009:
The Joint Reform Team issues an Enterprise Information Technology
Strategy to support the reformed security and suitability process.
February 16, 2010:
The Performance Accountability Council issues a strategic framework to
articulate the goals of the security and suitability process reform.
May 31, 2010:
The Performance Accountability Council develops quality measures[A]
that it believes will identify specific quantifiable targets linked to
goals that are intended to be measured objectively and ultimately
gauge progress and assess the quality of the personnel security
clearance process.
Source: GAO analysis.
[A] The Quality Metrics are proposed measures.
[End of figure]
We have previously noted that top leadership must be committed to
organizational transformation.[Footnote 4] To this end, committed
executive leadership has worked to reform the personnel security
clearance process by improving timeliness and developing quality
measures. Congressional oversight through hearings held by this
subcommittee in February, July, and September 2008 and in October 2009
has helped focus attention on the need for security clearance reform.
[Footnote 5] In addition, the recently passed Intelligence
Authorization Act for Fiscal Year 2010 requires reports by the
President on the security clearance process, including information on
timeliness and quality.[Footnote 6]
As noted earlier, my statement today will highlight the key findings
and recommendations from the report we are issuing today.
Specifically, I will focus on the extent to which select executive
branch agencies (1) investigate and adjudicate initial personnel
security clearance applications for civilian, military, and industry
personnel in a timely manner; (2) honor previously granted personnel
security clearances and the challenges, if any, that exist related to
reciprocity; and (3) share personnel clearance information in a
single, integrated database.
The scope of our audit work included DOD,[Footnote 7] select agencies
within the Intelligence Community,[Footnote 8] and a nonprobability
sample of six executive branch agencies that use the Office of
Personnel Management (OPM) to conduct background investigations.
[Footnote 9] The agencies we selected in our review account for
approximately 98 percent of initial clearance cases governmentwide
annually. To assess timeliness, reciprocity, and the sharing of
information in a single, integrated database, we analyzed the
requirements specified in IRTPA related to timeliness, reciprocity,
and the creation of a single database; obtained and reviewed first,
second and third quarter data for fiscal year 2010 on executive branch
agencies, including Intelligence Community agencies, provided by the
Performance Accountability Council Subcommittee on Performance
Measures and Management, which were current as of August 2010;
obtained and reviewed quarterly data for the executive branch agencies
provided by OPM for the same time periods; and analyzed executive
branch reports to Congress, executive orders, OPM memorandums, and
agency guidance related to security clearances.[Footnote 10] To
supplement our analysis, we also interviewed agency officials,
security managers, and adjudicators from our selected list of agencies
that are knowledgeable about timeliness, reciprocity and security
clearance databases. We assessed the reliability of the data and
determined that the data are sufficiently reliable for our purposes.
Our review was performed from October 2009 through November 2010 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our objectives.
Significant Overall Progress has been Made to Improve Timeliness, but
Some Agencies Continue to Face Challenges in Meeting Timeliness
Objectives:
As we note in our report, significant overall progress has been made
to improve timeliness, largely due to DOD, which comprises the vast
majority of clearances. IRTPA established an objective for each
authorized adjudicative agency to "make a determination on at least 90
percent of all applications for a personnel security clearance within
an average of 60 days from the date of receipt of the completed
application by an authorized investigative agency" by December 17,
2009.[Footnote 11] This means that under the current statutory
timeliness objective, the executive branch can exclude the slowest 10
percent and then report on an average of the remaining clearances.
IRTPA includes 40 days for investigations and 20 days for
adjudications within this 60-day average period. As shown in figure 2,
DOD, the Department of Energy, and the National Geospatial-
Intelligence Agency met the 60-day timeliness objective in all three
quarters of fiscal year 2010. We also found that timeliness varied
widely among executive branch agencies. During the first three
quarters of fiscal year 2010, the average for the fastest 90 percent
of cases adjudicated by the 14 agencies included in our review ranged
from 22 to 96 days for investigation timeliness, 2 to 59 days for
adjudication timeliness, and 30 to 154 days for combined timeliness.
[Footnote 12]
Figure 2: Average Of The Fastest 90 Percent Of Initial Clearance Cases
For Select Executive Branch Agencies:
[Refer to PDF for image: illustrated table]
No delegated authority[A]:
Department of Defense[B]:
Investigations (40 days):
First quarter: 42 days;
Second quarter: 45 days;
Third quarter: [Check];
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check].
Department of Homeland Security:
Investigations (40 days):
First quarter: 48 days;
Second quarter: 51 days;
Third quarter: 49 days;
Adjudication (20 days):
First quarter: 48 days;
Second quarter: 59 days;
Third quarter: 57 days;
Combined (60 days):
First quarter: 96 days;
Second quarter: 110 days;
Third quarter: 106 days.
Department of Energy:
Investigations (40 days):
First quarter: 47 days;
Second quarter: 45 days;
Third quarter: 44 days;
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check].
Department of Justice:
Investigations (40 days):
First quarter: 60 days;
Second quarter: 68 days;
Third quarter: 63 days;
Adjudication (20 days):
First quarter: 42 days;
Second quarter: 44 days;
Third quarter: 28 days;
Combined (60 days):
First quarter: 102 days;
Second quarter: 112 days;
Third quarter: 91 days.
Department of the Treasury:
Investigations (40 days):
First quarter: 54 days;
Second quarter: 56 days;
Third quarter: 52 days;
Adjudication (20 days):
First quarter: 54 days;
Second quarter: 27 days;
Third quarter: 46 days;
Combined (60 days):
First quarter: 108 days;
Second quarter: 83 days;
Third quarter: 98 days.
Department of Health and HUman Services:
Investigations (40 days):
First quarter: 52 days;
Second quarter: 53 days;
Third quarter: 47 days;
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: 65 days;
Second quarter: 70 days;
Third quarter: [Check].
Department of Veterans Affairs:
Investigations (40 days):
First quarter: 54 days;
Second quarter: 78 days;
Third quarter: 70 days;
Adjudication (20 days):
First quarter: 31 days;
Second quarter: [Check];
Third quarter: 26 days;
Combined (60 days):
First quarter: 85 days;
Second quarter: 93 days;
Third quarter: 96 days.
Delegated authority[A]:
Defense Intelligence Agency:
Investigations (40 days):
First quarter: 55 days;
Second quarter: [Check];
Third quarter: 49 days;
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: 80 days;
Second quarter: 68 days;
Third quarter: 78 days.
National Security Agency[C]:
Investigations (40 days):
First quarter: 70 days;
Second quarter: 59 days;
Third quarter: 49 days;
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: 80 days;
Second quarter: 68 days;
Third quarter: [Check].
National Geospatial-Intelligence Agency;
Investigations (40 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Adjudication (20 days):
First quarter: 31 days;
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check].
Central Intelligence Agency:
Investigations (40 days):
First quarter: 78 days;
Second quarter: 85 days;
Third quarter: 96 days;
Adjudication (20 days):
First quarter: 49 days;
Second quarter: 47 days;
Third quarter: 58 days;
Combined (60 days):
First quarter: 127 days;
Second quarter: 132 days;
Third quarter: 154 days.
Federal Bureau of Investigations:
Investigations (40 days):
First quarter: 76 days;
Second quarter: 75 days;
Third quarter: [Check];
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: 82 days;
Second quarter: 78 days;
Third quarter: [Check].
National Reconnaissance Office:
Investigations (40 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Adjudication (20 days):
First quarter: 31 days;
Second quarter: 58 days;
Third quarter: 36 days;
Combined (60 days):
First quarter: [Check];
Second quarter: 85 days;
Third quarter: 62 days.
Department of State:
Investigations (40 days):
First quarter: 43 days;
Second quarter: 47 days;
Third quarter: 48 days;
Adjudication (20 days):
First quarter: [Check];
Second quarter: [Check];
Third quarter: [Check];
Combined (60 days):
First quarter: [Check];
Second quarter: 54 days;
Third quarter: [Check].
Source: Performance Accountability Council data.
Note: The data provided by the Performance Accountability Council was
provided in August 2010. We assessed the reliability of the data and
determined that the data are sufficiently reliable for our purposes.
[A] Agencies without delegated authority rely on OPM to conduct their
background investigations, while agencies with delegated authority
have been authorized to conduct their own background investigations.
As such, timeliness data for agencies without delegated authority are
a reflection of OPM's timeliness.
[B] DOD's clearance workload comprises a vast majority of clearances.
The Performance Accountability Council timeliness reports on initial
clearances include DOD secret/confidential renewal cases. A prior GAO
review and OPM officials' estimates of DOD clearance timeliness in
fiscal year 2009 indicated that confidential and secret level
clearances, whether initial or renewal, generally took the same amount
of time to investigate. Furthermore, the Defense Personnel Security
Research Center - a DOD entity dedicated to improving the
effectiveness, efficiency, and fairness of the DOD personnel security
system - issued a working paper that showed that average adjudication
timeliness did not substantially differ between initial and renewal
secret clearance cases for DOD using first, second, and third quarters
of data for fiscal year 2008.
[C] According to National Security Agency officials, because of the
nature of the National Security Agency's initiation and investigation
requirements, reported investigation times include additional steps,
such as suitability determination investigations.
[End of figure]
Based on our discussions with agency officials, we identified a number
of challenges to agencies meeting IRTPA timeliness objectives,
including variances among the agencies in adopting information
technology due to resource and personnel limitations, and additional
agency-specific requirements that must be met before granting a
security clearance. For example, agency officials with whom we spoke
explained that there is a variance in agencies' adoption of the
Electronic Questionnaire for Investigation Processing (e-QIP).
According to these officials, e-QIP has sped up investigation
timeliness for agencies that have adopted this technology because it
provides OPM with more complete and better quality data earlier in the
process. However, resource constraints are a limiting factor in
agencies' adoption of this type of technology. In addition, agency-
specific requirements can affect timeliness. For example, timeliness
for the Intelligence Community has varied because of unique issues
related to conditions of employment that require polygraphs or
psychological evaluations that extend beyond the standard background
investigation.
The Performance Accountability Council is responsible for driving
implementation of the reform effort and ensuring accountability, but
has not reported on the impediments to meeting timeliness objectives
or plans to address impediments. IRTPA's security clearance reform
provision requires annual reports to the appropriate congressional
committees--through 2011--on the progress made during the preceding
year toward meeting its requirements, including timeliness data and a
discussion of any impediments to the smooth and timely functioning of
its requirements.[Footnote 13] However, in its most recent report to
Congress, the Performance Accountability Council did not provide
information on the impediments agencies face in meeting timeliness
objectives or plans to address impediments. While the Office of the
Director of National Intelligence, in the capacity as Security
Executive Agent, has performed a limited number of oversight audits,
according to officials we met with at four agencies, the Performance
Accountability Council has not met with them to identify the
impediments to meeting the timeliness objectives. The Performance
Accountability Council has focused its efforts on DOD due, in part, to
the DOD security clearance program's designation as one of GAO's high-
risk areas, as well as the fact that DOD clearances comprise the vast
majority of clearance cases that are processed annually. We found that
because of the relative size of DOD's clearance program, DOD's
progress toward meeting IRTPA's timeliness objectives is a significant
factor in reducing the average time required for clearance processing
for the government as a whole. However, the Performance Accountability
Council's February 2010 annual report to Congress lacked an
identification of the impediments other agencies face to meeting
timeliness objectives and did not identify mitigation strategies or
action plans. Furthermore, the Performance Accountability Council
officials stated that, they began conducting one-on-one meetings with
individual agencies in September 2010 to enhance communication, assist
in implementation planning, and provide a feedback mechanism for
agency stakeholders to communicate information and needs to the Joint
Reform Team.
To further improve timeliness across the federal government, we
recommended that the Deputy Director of Management, Office of
Management and Budget, in the capacity as Chair of the Performance
Accountability council, collaborate with agencies that are not meeting
timeliness objectives to take the following actions: (1) identify
challenges to timeliness; (2) develop mitigation strategies to enable
each agency to comply with the IRTPA timeliness objectives; (3) set
timelines for accomplishing the required actions; (4) monitor agency
progress; and (5) report on these plans and progress in the annual
reports to Congress. OMB concurred with our recommendation, noting
through oral comments that the Performance Accountability council was
committed to the timeliness goals of IRTPA and that it was working
with agencies currently not meeting the IRTPA timeliness goals by
taking steps to assist these agencies. As noted in my statement today,
we are strongly encouraged by the progress that the Performance
Accountability Council has made over the last few years to reduce
overall timeliness. If implemented in accordance with our
recommendations, the Performance Accountability Council's actions to
assist the agencies in developing plans to implement the reformed
approach appear to be a positive step in helping sustain the momentum
of security clearance reform.
Executive Agencies Often Grant Reciprocity, Although Challenges Exist
to Measuring and Tracking Reciprocity:
Agency officials stated that they routinely take steps to honor
previously granted security clearances; however, there are no
governmentwide metrics to comprehensively track when and why
reciprocity is granted or denied. IRTPA generally requires that all
security clearance investigations and determinations be accepted by
all agencies, with limited exceptions when necessary for national
security purposes.[Footnote 14] Further, ODNI guidance signed in
October 2008 amplifies this reciprocity requirement, stating that
except in limited circumstance, all Intelligence Community elements
are to "accept all in-scope security clearance or access
determinations."[Footnote 15] Similarly, the Office of Management and
Budget (OMB) issued guidance[Footnote 16] requiring agencies to
reciprocally accept clearances when the prior clearance is current, in-
scope,[Footnote 17] and there is no new derogatory information, among
other things. However, agency officials stated that in some cases,
they find it necessary to take additional steps to address limitations
with available information before granting a reciprocal clearance. For
example, although no single, integrated database exists and
information currently being shared between agencies may be
insufficient, agencies request additional information, such as copies
of the original background investigation. Moreover, because of the
different types of background investigations required by individual
agencies, agencies may perform additional investigative work or
request a new background investigation.
In addition to addressing limitations with available information,
agency officials reported that additional steps must sometimes be
taken to conduct suitability determinations or ensure that a prior
clearance investigation and adjudication meet their standards before
granting reciprocity. All federal agencies conduct basic suitability
determinations to ensure that the applicant's character or conduct is
appropriate for the position in question, but some agencies take
additional actions to determine the suitability of applicants before
they reciprocate a security clearance. For example, the Department of
Justice must take steps to ensure that applicants for jobs with the
Drug Enforcement Administration have not used drugs, according to
agency officials. Similarly, the Intelligence Community requires a
polygraph evaluation, among other things, to determine suitability for
most positions, according to intelligence officials. Some agencies
take steps to ensure that a prior clearance meets their quality
expectations. Most agency officials stated that the lack of
governmentwide standardized training and certification process for
investigators and adjudicators is a challenge to immediately
reciprocating a security clearance. Without governmentwide
standardized training and certification, agencies cannot be certain
that a subject's prior clearance investigation and adjudication meet
the quality expectations of the inquiring agency. Consequently, as we
have previously reported, agencies are reluctant to be accountable for
investigations and/or adjudications conducted by other agencies or
organizations.[Footnote 18] Although OPM has developed some training,
security clearance investigators and adjudicators are not required to
complete a certain type or number of classes. However, the annual
reports to Congress indicate that the Performance Accountability
Council is taking steps to make investigations and adjudications more
consistent across the government by standardizing the training of
investigators and adjudicators.[Footnote 19]
While the Performance Accountability Council has identified
reciprocity as a governmentwide strategic goal, there is no clear
evidence to show the extent to which reciprocity is granted because
agencies lack comprehensive, standardized metrics to track
reciprocity. We previously reported that developing metrics for
assessing and regularly monitoring all aspects of the clearance
process could add value in current and future reform efforts as well
as supply better information for greater congressional oversight.
[Footnote 20] However, we found that agencies do not consistently
document the additional steps they have taken prior to granting a
reciprocal clearance. For example, the Navy keeps electronic
documentation, the Department of Energy and the Department of the
Treasury keep paper documentation, and the Army and the Air Force do
not maintain any documentation on the additional steps taken to accept
a previously granted security clearance. Consequently, there is no
consistent tracking of the amount of staff time spent on the
additional actions that are taken to honor a previously granted
security clearance. In addition, agencies do not consistently and
comprehensively track the extent to which reciprocity is granted.
While OPM has a metric to track reciprocity, this metric captures
limited information, such as numbers of requested and rejected
investigations, but not the number of cases in which a previously
granted security clearance was or was not honored. Similarly, the
metrics proposed by the Performance Accountability Council do not
track the extent to which reciprocity is or is not ultimately honored.
For example, metrics proposed by the Performance Accountability
Council, such as the number of duplicate requests for investigations,
percentage of applications submitted electronically, number of
electronic applications submitted by applicants but rejected by OPM as
unacceptable because of missing information or forms, and percentage
of fingerprint submissions determined to be "unclassifiable" by the
Federal Bureau of Investigation, provide useful information but do not
track the extent to which reciprocity is or is not ultimately honored.
Without comprehensive, standardized metrics to track reciprocity, and
documentation of the process, decision makers lack a complete picture
of the extent to which reciprocity is granted and the challenges to
honoring previously granted security clearances.
To further improve governmentwide reciprocity, we recommended that the
Deputy Director of Management, Office of Management and Budget, in the
capacity as Chair of the Performance Accountability Council, develop
comprehensive metrics to track reciprocity and then report the
findings from the expanded tracking to Congress. OMB concurred with
our recommendation, stating that the Performance Accountability
Council is working to develop these additional metrics. We are
encouraged by the Performance Accountability Council's development of
quality metrics, which include some metrics for tracking reciprocity.
Although these are positive steps that can contribute to greater
visibility over the clearance process, these measures have not yet
been fully implemented and we are continuing to examine these efforts
as part of our ongoing work.
Although There are No Plans to Develop a Single, Integrated Database,
Steps Have Been Taken to Upgrade Existing Systems and Increase
Information Sharing:
Although there are no plans to develop a single, integrated database
as called for in IRTPA, the Performance Accountability Council is
focusing on leveraging existing systems and increasing information
sharing by developing a single search capability through OPM's system,
the Central Verification System. IRTPA required that no later than 12
months after the date of its enactment, the Director of OPM and the
Director of OMB establish and commence operating and maintaining a
single, integrated database of security clearance information.
[Footnote 21] This database was to house information regarding the
granting, denial, or revocation of security clearances or access
pertaining to military, civilian, and contractor personnel, from all
authorized investigative and adjudicative agencies. However, the
Performance Accountability Council is not pursuing a single,
integrated database, according to our analysis of a series of recent
reports that the Joint Reform Team issued from 2008 through 2010.
[Footnote 22] For example, according to the Enterprise Information
Technology Strategy, the Performance Accountability Council has opted
to pursue an approach that leverages existing systems and involves the
development of new tools when necessary.[Footnote 23] Similarly,
according to the most recent annual report to Congress, the reform
efforts are focused on leveraging OPM's existing system--the Central
Verification System--to enable access to records on investigations and
adjudications.[Footnote 24] Agency officials from both OPM and ODNI
confirmed that there are no plans to create a new single, integrated
database and explained that establishing, operating, and maintaining a
single, integrated database is not a viable option because of concerns
related to privacy, security, and data ownership. Privacy concerns
involve the unintentional disclosure of personal identifying
information, such as names and Social Security numbers. Merging
different systems into one database could result in the unintentional
disclosure of personal identifying information that could compromise
security. For example, since the Intelligence Community's database is
classified and separate from the databases used by nonintelligence
agencies, even an aggregation of unclassified information from its
database could lead to unintentional disclosure of personal
identifying information that could compromise security. Moreover,
breaches in the system could compromise security. For example, some
officials mentioned an enhanced threat from hackers if there were
consolidation of multiple information technology systems.
Although there are no plans to create a new governmentwide database,
officials representing nonintelligence executive branch agencies in
our review stated that they are sharing information about personnel
who hold or are seeking security clearances through two main databases
that can be accessed through a single entry point. Two primary
databases are used by nonintelligence agencies to store investigative
and adjudicative information, and according to the Performance
Accountability Council, they account for decisions on about 90 percent
of all security clearance holders in the federal government. Data are
stored in either OPM's Central Verification System or DOD's Joint
Personnel Adjudication System. The Central Verification System
includes security clearance data for all non-Intelligence Community
executive branch agencies. The Joint Personnel Adjudication System is
a repository for security clearance information on both DOD civilian
and military personnel, as well as determinations of contractor
clearance eligibility and access for the National Industrial Security
Program. Data from the two databases can be searched and obtained from
a single entry point in the Central Verification System.[Footnote 25]
Officials representing Intelligence Community agencies reported that
they are sharing information with one another through a separate
classified database known as Scattered Castles. Scattered Castles is a
repository for records from all intelligence agencies by which each
agency uploads relevant information from individual agency databases.
All personnel who have access to Sensitive Compartmented Information
are listed in Scattered Castles.[Footnote 26] This system is not
linked to OPM's Central Verification System because of concerns about
protecting classified information. According to ODNI officials, the
system has not been linked to nonintelligence databases because of the
need to protect information on covert personnel. However, officials
representing Intelligence Community agencies stated that they do enter
some information from DOD's Joint Personnel Adjudication System into
Scattered Castles.
Although the Intelligence Community maintains a separate database,
most of the nonintelligence agencies included in our review had some
access to Scattered Castles and the Intelligence Community is
exploring alternatives to expand information sharing with
nonintelligence agencies. Nonintelligence agencies may have access to
Scattered Castles through Sensitive Compartmented Information
facilities located in their agency.[Footnote 27] All of the military
departments, as well as well as the Joint Chiefs of Staff, also had
some access.[Footnote 28] Moreover, according to agency officials, DOD
adjudicators with the appropriate clearance and need to know will have
access to a Sensitive Compartmented Information facility with access
to Scattered Castles when DOD colocates all of its clearance
adjudication facilities at Fort Meade in Maryland as part of the DOD
base realignment and closure process in 2011. According to Performance
Accountability Council officials, the Performance Accountability
Council is exploring ways to enhance information sharing between the
Intelligence Community agencies and the nonintelligence agencies. This
working group is studying alternatives to support a single-access
point from which to search clearance information and plans to complete
its review in December 2010.
In summary, Madam Chairwoman, our overall observations of the current
reform efforts are that they represent positive steps to improve the
clearance process. As we noted in our report, continued personnel
security clearance reform relies on strong committed executive
leadership to sustain the momentum created by the current reform
effort. This type of leadership, in turn, helps provide oversight and
accountability for the improvement process. Key to these efforts has
been the Performance Accountability Council, which has provided
direction for the clearance reform across the federal government. We
are encouraged that the Performance Accountability Council's efforts
during the past year have included several actions to improve the
process. Timeliness data--particularly at DOD--have improved, steps
have been taken to improve information sharing, and there has been
focus on honoring reciprocity of existing clearances. However, while
agencies are moving closer to meeting the objectives and requirements
of IRTPA, continued oversight and accountability for personnel
security clearance reform is still needed.
Madam Chairwoman, this concludes my prepared statement. I would be
pleased to respond to any questions that you or members of the
subcommittee may have at this time.
GAO Contact and Staff Acknowledgments:
For further information about this statement, please contact Brenda S.
Farrell at (202) 512-3604 or farrellb@gao.gov. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on
the last page of this statement. Key contributors to this statement
were Liz McNally, Assistant Director; Joseph M. Capuano; Cindy
Gilbert; Linda Keefer; James Krustapentus; Gregory Marchand; and
Jillena Roberts.
[End of section]
Related GAO Products:
GAO, Personnel Clearances: Key Factors to Consider in Efforts to
Reform Security Clearance Processes, [hyperlink,
http://www.gao.gov/products/GAO-08-352T] (Washington, D.C.: Feb. 27,
2008).
DOD Personnel Clearances: Preliminary Observations on DOD's Progress
on Addressing Timeliness and Quality Issues. [hyperlink,
http://www.gao.gov/products/GAO-11-185T]. Washington, D.C.: November
16, 2010.
Privacy: OPM Should Better Monitor Implementation of Privacy-Related
Policies and Procedures for Background Investigations. [hyperlink,
http://www.gao.gov/products/GAO-10-849. Washington, D.C.: September 7,
2010.
Personnel Security Clearances: An Outcome-Focused Strategy and
Comprehensive Reporting of Timeliness and Quality Would Provide
Greater Visibility over the Clearance Process. [hyperlink,
http://www.gao.gov/products/GAO-10-117T]. Washington, D.C.: October 1,
2009.
Personnel Security Clearances: Progress Has Been Made to Reduce Delays
but Further Actions Are Needed to Enhance Quality and Sustain Reform
Efforts. [hyperlink, http://www.gao.gov/products/GAO-09-684T].
Washington, D.C.: September 15, 2009.
Personnel Security Clearances: An Outcome-Focused Strategy Is Needed
to Guide Implementation of the Reformed Clearance Process. [hyperlink,
http://www.gao.gov/products/GAO-09-488]. Washington, D.C.: May 19,
2009.
DOD Personnel Clearances: Comprehensive Timeliness Reporting, Complete
Clearance Documentation, and Quality Measures Are Needed to Further
Improve the Clearance Process. [hyperlink,
http://www.gao.gov/products/GAO-09-400]. Washington, D.C.: May 19,
2009.
High-Risk Series: An Update. [hyperlink,
http://www.gao.gov/products/GAO-09-271]. Washington, D.C.: January
2009.
DOD Personnel Clearances: Preliminary Observations about Timeliness
and Quality. [hyperlink, http://www.gao.gov/products/GAO-09-261R].
Washington, D.C.: December 19, 2008.
Personnel Security Clearances: Preliminary Observations on Joint
Reform Efforts to Improve the Governmentwide Clearance Eligibility
Process. [hyperlink, http://www.gao.gov/products/GAO-08-1050T].
Washington, D.C.: July 30, 2008.
Personnel Clearances: Questions for the Record Regarding Security
Clearance Reform. [hyperlink,
http://www.gao.gov/products/GAO-08-965R]. Washington, D.C.: July 14,
2008.
Personnel Clearances: Key Factors for Reforming the Security Clearance
Process. [hyperlink, http://www.gao.gov/products/GAO-08-776T].
Washington, D.C.: May 22, 2008.
Employee Security: Implementation of Identification Cards and DOD's
Personnel Security Clearance Program Need Improvement. [hyperlink,
http://www.gao.gov/products/GAO-08-551T]. Washington, D.C.: April 9,
2008.
DOD Personnel Clearances: Questions for the Record Related to the
Quality and Timeliness of Clearances. [hyperlink,
http://www.gao.gov/products/GAO-08-580R]. Washington, D.C.: March 25,
2008.
DOD Personnel Clearances: DOD Faces Multiple Challenges in Its Efforts
to Improve Clearance Processes for Industry Personnel. [hyperlink,
http://www.gao.gov/products/GAO-08-470T]. Washington, D.C.: February
12, 2008.
Personnel Clearances: Key Factors to Consider in Efforts to Reform
Security Clearance Processes. [hyperlink,
http://www.gao.gov/products/GAO-08-352T]. Washington, D.C.: February
27, 2008.
DOD Personnel Clearances: Improved Annual Reporting Would Enable More
Informed Congressional Oversight. [hyperlink,
http://www.gao.gov/products/GAO-08-350]. Washington, D.C.: February
13, 2008.
DOD Personnel Clearances: Delays and Inadequate Documentation Found
for Industry Personnel. [hyperlink,
http://www.gao.gov/products/GAO-07-842T]. Washington, D.C.: May 17,
2007.
High Risk Series: An Update. [hyperlink,
http://www.gao.gov/products/GAO-07-310. Washington, D.C.: January 2007.
DOD Personnel Clearances: Additional OMB Actions Are Needed to Improve
the Security Clearance Process. [hyperlink,
http://www.gao.gov/products/GAO-06-1070. Washington, D.C.: September
28, 2006.
DOD Personnel Clearances: Questions and Answers for the Record
Following the Second in a Series of Hearings on Fixing the Security
Clearance Process. [hyperlink,
http://www.gao.gov/products/GAO-06-693R]. Washington, D.C.: June 14,
2006.
DOD Personnel Clearances: New Concerns Slow Processing of Clearances
for Industry Personnel. [hyperlink,
http://www.gao.gov/products/GAO-06-748T]. Washington, D.C.: May 17,
2006.
DOD Personnel Clearances: Funding Challenges and Other Impediments
Slow Clearances for Industry Personnel. [hyperlink,
http://www.gao.gov/products/GAO-06-747T]. Washington, D.C.: May 17,
2006.
Questions for the Record Related to DOD's Personnel Security Clearance
Program and the Government Plan for Improving the Clearance Process.
[hyperlink, http://www.gao.gov/products/GAO-06-323R]. Washington,
D.C.: January 17, 2006.
DOD Personnel Clearances: Government Plan Addresses Some Long-standing
Problems with DOD's Program, But Concerns Remain. [hyperlink,
http://www.gao.gov/products/GAO-06-233T]. Washington, D.C.: November
9, 2005.
DOD Personnel Clearances: Some Progress Has Been Made but Hurdles
Remain to Overcome the Challenges That Led to GAO's High-Risk
Designation. [hyperlink, http://www.gao.gov/products/GAO-05-842T].
Washington, D.C.: June 28, 2005.
High-Risk Series: An Update. [hyperlink,
http://www.gao.gov/products/GAO-05-207]. Washington, D.C.: January
2005.
[End of section]
Footnotes:
[1] GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-05-207] (Washington, D.C.: January
2005); High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-07-310] (Washington, D.C.: January
2007); and High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January
2009).
[2] Pub. L. No. 108-458, § 3001 (2004) (codified at 50 U.S.C. 435b).
While IRTPA was a far-reaching act with many broad implications, our
references to it throughout this testimony pertain solely to section
3001, unless otherwise specified.
[3] This team also now includes representatives of the Office of
Management and Budget and Office of Personnel Management.
[4] [hyperlink, http://www.gao.gov/products/GAO-09-271].
[5] In the past three years, GAO has also testified on security
clearance reform before (1) the Subcommittee on Oversight of
Government Management, the Federal Workforce, and the District of
Columbia, Senate Committee on Homeland Security and Governmental
Affairs; (2) the Subcommittee on Government Management, Organization,
and Procurement, House Committee on Oversight and Government Reform;
and (3) the Subcommittee on Readiness, House Committee on Armed
Services.
[6] Pub. L. No. 111-259, §367 (2010).
[7] We met with DOD officials from the Air Force, Army, Navy, Defense
Industrial Security Clearance Office, Defense Intelligence Agency,
Defense Office of Hearings and Appeals, Washington Headquarters
Service, and Joint Chiefs of Staff Central Adjudication Facilities.
[8] We met with officials from the Central Intelligence Agency,
Defense Intelligence Agency, Federal Bureau of Investigation, National
Geospatial-Intelligence Agency, National Reconnaissance Office,
National Security Agency, and the Department of State.
[9] We met with officials from the Departments of Energy, Health and
Human Services, Homeland Security, Justice, the Treasury, and Veterans
Affairs. We selected agencies based on their ability to meet a
combination of one or more of the following criteria: (1) utilizes OPM
to conduct security clearance investigations, (2) conducts an average
of at least 5,000 cases per year, (3) is an Intelligence Community
agency, or (4) is a member of the Performance Accountability Council.
Because this is a nonprobability sample, our findings do not
generalize to the agencies that we did not include in our review.
[10] Our analysis of timeliness data does not include the following
elements of the agencies in our review: Department of Homeland
Security: Homeland Security Headquarters, Immigration and Customs
Enforcement, U.S. Secret Service, U.S. Customs and Border Protection,
select positions in the U.S. Coast Guard; Department of Justice:
Bureau of Alcohol, Tobacco, Firearms and Explosives; and Department of
the Treasury: Bureau of the Public Debt, Bureau of Engraving and
Printing.
[11] Pub. L. No. 108-458, § 3001 (2004) (codified at 50 U.S.C. §
435b). According to IRTPA, this period shall include a period of not
longer than 40 days to complete the investigative phases of the
clearance review and a period of not longer than 20 days to complete
the adjudicative phase of the clearance review. These measures apply
to initial personnel security clearances (i.e., cases in which
individuals who enter positions in government or industry that require
a clearance do not have a clearance or have not been granted
reciprocity).
[12] The Performance Accountability Council timeliness reports on
initial clearance include DOD secret/confidential renewal cases.
[13] The Intelligence Authorization Act for Fiscal Year 2010 extended
this reporting requirement beyond 2011. Pub.L. No. 111-259, § 367
(2010).
[14] Pub. L. No. 108-458, § 3001(d) (2004) (codified at 50 U.S.C.
435b(d)).
[15] ODNI Intelligence Community Policy Guidance 704.4, Reciprocity of
Personnel Security Clearance and Access Determinations (Oct. 2, 2008).
[16] Office of Management and Budget, Memorandum for Deputies of
Executive Departments and Agencies: Reciprocal Recognition of Existing
Personnel Security Clearances. (Dec. 12, 2005); Office of Management
and Budget, Memorandum for Deputies of Executive Departments and
Agencies: Reciprocal Recognition of Existing Personnel Security
Clearances (July 17, 2006).
[17] Intelligence Community Standard 2008-700-1 defines scope as the
time period to be covered and the sources of information to be
contacted during the prescribed course of a personnel security
investigation. OMB considers significant scope deficiencies to be
deviations. Therefore, agencies are not required to honor a previous
clearance that is not "in-scope". Furthermore, challenges identified
in this section of the report may not apply to "out-of-scope"
clearances.
[18] GAO, Personnel Clearances: Key Factors to Consider in Efforts to
Reform Security Clearance Processes, [hyperlink,
http://www.gao.gov/products/GAO-08-352T] (Washington, D.C.: Feb. 27,
2008).
[19] GAO, Personnel Security Clearances: An Outcome-Focused Strategy
Is Needed to Guide Implementation of the Reformed Clearance Process,
[hyperlink, http://www.gao.gov/products/GAO-09-488] (Washington, D.C.:
May 19, 2009).
[20] [hyperlink, http://www.gao.gov/products/GAO-08-352T].
[21] Pub. L. No. 108-458, § 3001 (e) (2004) (codified at 50 U.S.C. §
435b(e)).
[22] Joint Security Clearance Process Reform Team, Enterprise
Information Technology Strategy (Washington, D.C., Mar. 17, 2009);
Joint Security Clearance Process Reform Team, Security and Suitability
Process Reform (Washington, D.C., April 2008 and updated December
2008); and Joint Security and Suitability Reform Team, Security and
Suitability Process Reform: Strategic Framework (Washington, D.C.:
February 2010).
[23] Joint Security and Suitability Reform Team, Enterprise
Information Technology Strategy (Washington, D.C.: Mar. 17, 2009).
[24] Joint Security and Suitability Reform Team, Security and
Suitability Process Reform: Strategic Framework (Washington, D.C.:
February 2010).
[25] DOD data available through this single entry point include names,
Social Security numbers, and date and type of investigation.
[26] Sensitive Compartmented Information is classified intelligence
information derived from intelligence sources, methods, or analytical
processes that is required to be protected within formal access
control systems established and overseen by the Director of National
Intelligence.
[27] The nonintelligence, non-DOD agencies include the Department of
Energy, Department of Justice, Department of the Treasury, Department
of Homeland Security, Department of Health and Human Services, and
Department of Veterans Affairs.
[28] The Army Central Adjudication Facility said that its access was
on a case-by-case basis.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: